Data Protection Act Breaches In Criminal Law
📜 Data Protection Act (DPA): Legal Framework
The main UK legislation governing personal data is:
Data Protection Act 1998 (repealed)
Data Protection Act 2018 (current law, aligns with UK GDPR)
Criminal offences for data misuse are primarily found under:
Section 170 of the DPA 2018 (formerly Section 55 of DPA 1998):
Offence to knowingly or recklessly obtain, disclose, or retain personal data without the consent of the data controller.
Other relevant provisions:
Section 171 – Alteration of data to prevent disclosure.
Section 173 – Offences by bodies corporate.
⚖️ Key Elements of a Criminal Data Protection Breach
To secure a conviction under the DPA, the prosecution must prove:
The defendant obtained, disclosed, or retained personal data.
The data was obtained without the consent of the data controller.
The defendant acted knowingly or recklessly.
The action was not covered by a legal defence (e.g. for crime prevention or journalism/public interest).
🧑‍⚖️ Landmark Cases on Criminal Breaches of Data Protection Law
1. R v. Shepherd (2003)
Facts:
A private investigator obtained personal data (e.g. phone records, vehicle registrations) by deception, impersonating officials.
Held:
Shepherd was convicted under Section 55 of the DPA 1998. He knowingly obtained personal data without consent.
Significance:
Set the standard that deception to acquire data is a criminal breach.
Showed how private investigators and third parties can be held criminally liable.
2. R v. Christopher Wilson (2005)
Facts:
Wilson, a former police officer, used his position to access personal information from police systems to check on an ex-partner and her new partner.
Held:
Convicted for misusing police data systems for personal reasons. His actions were unauthorised and in breach of the DPA.
Significance:
Reinforced that public officials can be prosecuted for unauthorised access.
Accessing data for non-official, personal reasons is a criminal offence.
3. R v. David Leak (2013)
Facts:
A police community support officer accessed police systems to obtain data about individuals he had a personal interest in.
Held:
Convicted under the DPA for knowingly accessing data without proper purpose.
Significance:
Showed that internal misuse of systems (even without external disclosure) can amount to a criminal breach.
Highlighted the importance of intent—even if data is not misused further, unauthorised access is enough.
4. R v. Amanda Cox (2015)
Facts:
Amanda Cox, an NHS employee, accessed the medical records of friends and celebrities out of curiosity, not for medical reasons.
Held:
She was found guilty of breaching the DPA (s55) and fined. The act was considered a "serious invasion of privacy".
Significance:
One of the first cases showing "snooping" on medical records for curiosity can be a criminal act.
Reinforced the message that data misuse in sensitive sectors (like health) is taken seriously.
5. R v. Keogh (2008)
Facts:
A civil servant leaked a classified memo to a journalist. He was charged under the Official Secrets Act but acquitted.
Relevance to DPA:
Though not convicted under the DPA, the case raised concerns about the clash between public interest disclosures and data privacy.
Significance:
Highlighted the tension between freedom of expression / whistleblowing and data protection.
Influenced discussions around public interest defences under the DPA.
6. R v. Mohammed Azam (2017)
Facts:
Azam, a former car insurance worker, sold customer data to personal injury claims firms.
Held:
Convicted under Section 55 DPA 1998, fined £5,000 and ordered to pay prosecution costs.
Significance:
Clear example of data being monetised illegally.
Demonstrated that even after leaving employment, using previously accessed data is still a crime.
7. R v. Andrew Crossley (2011)
Facts:
Crossley, a solicitor, used personal data of internet users to send threatening letters demanding payment for alleged copyright infringement.
Held:
Investigated by the Information Commissioner for misuse of data, including lack of proper data protection compliance.
Significance:
Though not imprisoned, he was struck off as a solicitor.
Case shows that misusing personal data for gain or harassment can lead to criminal or professional sanctions.
📊 Summary of Key Legal Principles
Principle | Case | Legal Impact |
---|---|---|
Deception to obtain data is criminal | R v. Shepherd | Set precedent for private investigators |
Police misuse of data systems is a breach | R v. Wilson, R v. Leak | Even internal access without disclosure is illegal |
Curiosity snooping is criminal | R v. Amanda Cox | Even without malicious intent, data access must be lawful |
Selling customer data = DPA offence | R v. Azam | Data use after employment = criminal |
Public interest defence is limited | R v. Keogh | Raised debate about whistleblowing vs privacy |
Professional misuse of data has consequences | R v. Crossley | DPA breaches can lead to career-ending sanctions |
⚠️ Penalties for Criminal Breach under the DPA
Under the Data Protection Act 2018, criminal penalties for unlawful obtaining or disclosure of personal data include:
Fines (unlimited in the Magistrates' Court or Crown Court).
Criminal records (even if only fined).
In some cases, custodial sentences, especially for repeated or commercial misuse.
Confiscation of proceeds under the Proceeds of Crime Act 2002.
📝 Conclusion
Criminal prosecution under the Data Protection Act plays a key role in deterring unlawful access and misuse of personal data. Courts consistently uphold that:
Accessing data without authorisation, even for curiosity, is unlawful.
Public sector employees, such as police and NHS staff, are held to higher standards.
Selling, sharing, or leaking personal data—whether for profit or revenge—is a serious criminal offence.
The law balances privacy rights with public interest, but defences are narrow.